Clear secrets from request for klog print in logGRPC()

Malicious user can put a secret in request as explained here: #1372.
kubernetes-sigs · Oct 30, 2023 · a618653 · a618653
1 parent b105d5a
commit a618653
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/pkg/gce-pd-csi-driver/utils.go b/pkg/gce-pd-csi-driver/utils.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"reflect"
 
 	csi "github.com/container-storage-interface/spec/lib/go/csi"
 	"google.golang.org/grpc"
@@ -63,6 +64,17 @@ func logGRPC(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, h
 	// Note that secrets are not included in any RPC message. In the past protosanitizer and other log
 	// stripping was shown to cause a significant increase of CPU usage (see
 	// https://github.com/kubernetes-sigs/gcp-compute-persistent-disk-csi-driver/issues/356#issuecomment-550529004).
+	// However malicious user still can put a secret in request as explained here:
+	// https://github.com/kubernetes-sigs/gcp-compute-persistent-disk-csi-driver/issues/1372
+	// Reflect magic below simply clears Secrets map from request.
+	v := reflect.ValueOf(&req).Elem()
+	e := reflect.New(v.Elem().Type()).Elem()
+	e.Set(v.Elem())
+	f := reflect.Indirect(e).FieldByName("Secrets")
+	if f.IsValid() && f.CanSet() && f.Kind() == reflect.Map {
+		f.Set(reflect.MakeMap(f.Type()))
+		v.Set(e)
+	}
 	klog.V(4).Infof("%s called with request: %s", info.FullMethod, req)
 	resp, err := handler(ctx, req)
 	if err != nil {